From here, with header diagram in hand, you should now be able to look at a packet dump and find the value you need, by counting from offset 0 to the correct field.
Some of the things you’ll want to look for (like IPv6 traffic, only ICMP traffic, or a particular IP) can be done most efficiently with primitives.
Others, like options in the IP header, which are rare and always suspicious, can be done by checking the header length field. But since the first byte in the IP header is broken into two fields of a nibble each, how do you see just the header length, and not the IP version?
The answer is bitmasking. Simply put, bitmasking hides the bits we don’t want to see and leaves the ones we do. For example, let’s take the 13th byte (offset from zero, of course) in the TCP header.
Flags          CWR  ECE  Urg  Ack  |  Push  Reset  Syn  Fin
Binary Values    8    4    2    1  |     8      4    2    1
We have one byte, eight bits that comprise the TCP flags that can be set. We know from our basic networking that when one host wants to talk to another host, it sends a SYN (synchronize) packet to the IP address of the receiving host on the port the protocol should be listening on.
If the receiving host is listening on that port and ready to communicate, it sends a SYN-ACK packet back (synchronize acknowledgment).
The sending host confirms it’s received the reply and is ready to start communicating by sending an ACK packet back to the destination. This is commonly known as the TCP three-way handshake.
So in order to see all of the attempts to initiate a connection on the wire or in a packet capture, we would want to see all of the packets that have only the SYN flag set. Looking at our header of byte 13, we see that the SYN flag bit is in the second nibble (4 bits) and is the next-to-last bit.
The way we write a BPF is to 1. specify the header, 2. the byte, and 3. any bitmasking needed to filter out additional bits. So to see only SYN packets we would write a BPF like this:
tcp[13] = 2 – Note this shows us only packets in which ONLY the SYN flag is set (the whole byte equals 2).
We can also write a BPF to show any packets in which the SYN flag is set, regardless of any other flags. To do this, instead of checking the full value of byte 13, we just check to see if the SYN bit is set.
We would do this with a BPF like this: tcp[13] & 0x02 != 0. Here we’re simply checking to see if the SYN bit is set to 1, or turned on. Any other flags could be active or not; we’re not checking for anything other than SYN.
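The following script is an added example, not part of the original post, that does in Python what the two BPFs above do in tcpdump: it masks the low nibble of IP byte 0 to get the header length (so it can also spot the IP options mentioned earlier), walks to byte 13 of the TCP header, and applies the "exactly SYN" and "SYN bit set" checks. The packets it inspects are constructed inline (no checksums, made-up addresses and ports) purely so the filters have something to run on.

```python
"""Apply the tcp[13] = 2 and tcp[13] & 0x02 != 0 checks by hand.

Added example for the post above; packets are constructed samples.
"""
import struct

# Bit values of the TCP flags byte (offset 13 in the TCP header), as in the table above.
TCP_FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}


def ip_header_length(packet: bytes) -> int:
    """IPv4 header length in bytes, from the low nibble of byte 0.

    Masking with 0x0F hides the version nibble; the field counts 32-bit words,
    so multiply by 4. BPF equivalent: (ip[0] & 0x0f) * 4.
    """
    return (packet[0] & 0x0F) * 4


def ip_has_options(packet: bytes) -> bool:
    """True when the IP header is longer than the 20-byte minimum (options present)."""
    return ip_header_length(packet) > 20


def tcp_flags_byte(packet: bytes) -> int:
    """Return byte 13 of the TCP header, located just after the IP header."""
    return packet[ip_header_length(packet) + 13]


def only_syn(packet: bytes) -> bool:
    """Equivalent of the BPF  tcp[13] = 2  (SYN set and nothing else)."""
    return tcp_flags_byte(packet) == 0x02


def syn_set(packet: bytes) -> bool:
    """Equivalent of the BPF  tcp[13] & 0x02 != 0  (SYN set, other flags ignored)."""
    return tcp_flags_byte(packet) & 0x02 != 0


def decode_flags(flags_byte: int) -> list:
    """Name every flag whose bit is on, using the bit values from the table."""
    return [name for name, bit in TCP_FLAGS.items() if flags_byte & bit]


def build_packet(flags: int, ip_options: bytes = b"") -> bytes:
    """Build a minimal IPv4 + TCP packet (constructed sample: zero checksums,
    private addresses, arbitrary ports). ip_options must be a multiple of 4 bytes."""
    ihl_words = (20 + len(ip_options)) // 4          # header length in 32-bit words
    version_ihl = (4 << 4) | ihl_words               # version nibble | IHL nibble
    total_length = 20 + len(ip_options) + 20         # IP header + TCP header, no payload
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, total_length, 0, 0, 64, 6, 0,   # ttl 64, protocol 6 = TCP
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    ) + ip_options
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        40000, 80, 0, 0, 5 << 4, flags, 65535, 0, 0,    # data offset 5 words, flags byte
    )
    return ip_header + tcp_header


# Constructed capture: a handshake plus one SYN carrying four NOP IP options.
SAMPLES = {
    "syn": build_packet(0x02),
    "syn_ack": build_packet(0x12),
    "ack": build_packet(0x10),
    "syn_with_ip_options": build_packet(0x02, ip_options=b"\x01\x01\x01\x01"),
}


def filter_packets(packets: dict, predicate) -> list:
    """Return the names of packets the given filter would let through."""
    return [name for name, pkt in packets.items() if predicate(pkt)]


if __name__ == "__main__":
    print("tcp[13] = 2          ->", filter_packets(SAMPLES, only_syn))
    print("tcp[13] & 0x02 != 0  ->", filter_packets(SAMPLES, syn_set))
    print("IP options present   ->", filter_packets(SAMPLES, ip_has_options))
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} flags={tcp_flags_byte(pkt):#04x} {decode_flags(tcp_flags_byte(pkt))}")
```

Note that the first filter rejects the SYN-ACK because byte 13 is 0x12, not 0x02, while the second accepts it because only the SYN bit is tested; that is the whole difference between comparing the byte and masking it. Newer tcpdump versions also accept the symbolic form `tcp[tcpflags] & tcp-syn != 0`, which compiles to the same mask.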
*** This is a Security Bloggers Network syndicated blog from JeffSoh on NetSec authored by JeffSoh. Read the original post at: https://jeffsoh.blogspot.com/2021/02/pcaps-and-tools-that-love-them-part-3-of.html